Never miss out on a great deal again. Set up deal alerts for your favorite stores, categories, or products and we'll instantly alert you when a new deal is posted. Here are a few of our most popular alerts. Give one a try.

Thread Details

Last Edited by rrmoore
January 12, 2016
at 01:10 PM

SD USERS REPORTING CREDIT CARD FRAUD VIA RAKUTEN SHOPPING SITE: 352

Many posts within SlickDeals have multiple threads about fraudulent credit card account transactions occurring within a few weeks of placing an order at Rakuten Buy.com. If you have been affected, please post your experience here so the magnitude of Rakuten Buy.com's apparent security breach and the impact on the affected Rakuten customers may be known. (Please save other issues, either regarding Rakuten, or other issues with credit card misuse to other posts.)

If you are one of the affected Rakuten customers, please make a post with (1) first date of the fraud transaction and (2) the most recent Rakuten.com order date (if there was one).
The most important thing however is to just be counted, if you're one of the affected customers.

(2) Many other users have been affected outside of the SlickDeals community
[Ref: Specialized Site Now Available: http://rakutenfraud.com/]

(3) The apparent security breach is not limited to just customers who placed orders. Several have reported credit card details were taken from their Rakuten My Account screen.
[Ref: 'Cletus81' Post #435, 'missmex1' Post #445]

(6) Almost 100% of all fraud reports are from customers who gave Rakuten their credit (or debit) card directly (rather than using payment gateways or other payment methods (gift cards, etc.)
[Ref: Thread postings.]

(7) Many customers were able to uniquely identify Rakuten as the source of the credit card theft.
[Ref: Many thread postings from customers using a one-time Virtual Credit Card Number, a new credit card only used at Rakuten, or a new Gift Card.]

(9) Using a Virtual Credit Card Number or Gift Cards at Rakuten may not be the best alternative.
[Ref: 'GPz1100' Post #205, Post #447, etc. Several affected customers posted their VCCN's later breach caused the credit card company to reissue a new card.]
[Ref: 'namlook' Post #449, etc. Hacker's later emptied the gift card or sold the balance on eBay.]
[Ref: 'bargainfinder09' Post #449 Must close VCCN out afterwards.]

(10) The apparent security breach still exists at Rakuten today, and a Rakuten customer order is not required to generate the subsequent CC fraud.
[Ref: 'Edxzxz' Post #583]

BOGOTA – "Local police are asking anyone who has used the website Rakuten.com, formerly Buy.com, to look out for suspicious charges on their credit cards." The police department started investigating three cases in which residents complained of fraudulent charges on their credit cards and has since discovered five additional victims, including one in New York City, Bogota Detective Sgt. Jonathan Misskerg said Tuesday. The single thread between the victims is that they have made purchases on Rakuten.com in the past three months, police said. The victims' names, Social Security numbers, dates of birth and credit card information were used to open accounts at online equipment suppliers, police said.

The purchases, made at five online stores, included gas valves and warehouse time clocks and totaled around $10,000, Misskerg said. The buyer was traced to an address in Bogotá, Colombia, Misskerg said. After the items were purchased, they were sent to an Englewood company, which then shipped the items to Colombia, Misskerg said. Police declined to identify the Englewood company, saying that the owner was cooperating with authorities and that it remained unclear whether he was part of the scheme. But since investigators first spoke with the company's owner, someone electronically deposited funds in the company owner's account — enough to cover the cost of shipping the items to Colombia, Misskerg said. "We've seized the packages and additional merchandise," Misskerg said Tuesday. "We are going to try to shut him down at this point."

Rakuten.com, a Japan-based online retail company completed its purchase of Buy.com, a California-based online market place, in July 2010. The website was rebranded as Rakuten.com this year. A company representative said Tuesday that the company had not been contacted by the local police, but that it would cooperate with authorities. "If there is a police investigation, we are not aware of it, and we have not been contacted," said Mark Kirschner, the company's executive officer for global marketing, adding that the company takes such reports "very seriously."

However, an online message board [SlickDeals.net] contains several comments from posters claiming to have used the website and complaining about fraudulent charges on their credit cards. Kirschner said the company was aware of the website and had made overtures, "without success," to those claiming to be affected. He urged those affected to contact the company's head of customer experience at 877-880-1030 ext. 2095. Kirschner said he was unaware of any security breach or hacking incident that could have compromised customers' information.

Starting about a month ago, rumblings began on the SlickDeals forums among people who had recently made purchases from Rakuten Shopping, the new brand name of the marketplace Buy.com. The purchases made were diverse, ranging from time clocks in Colombia to newspaper subscriptions in Cleveland to plane tickets in Germany. Something is very, very wrong here: hundreds of victims from recent months have come forward on Slickdeals alone.
'
Rakuten Shopping is a sort of online mall: the site allows other vendors to set up their own "marketplace" stores and sell items. Users have reported fraudulent credit card transactions after purchases from a variety of marketplace vendors.

Rakuten staff reach out to complainers on Facebook and even on the deal forums, asking victims to call in order to straighten things out. If they have a solution in progress, Rakuten has not let customers know, including victims. While talking too much about it publicly might compromise the investigations, victims are unhappy that the only thing they've heard from the company is "call us!" to people whose cards have been breached. Apart from the threads on the subject on shopping sites, victims have started their own site, the appropriately-titled RakutenFraud.com.

Community Wiki

When you are viewing Your Shopping Cart, be sure to click on "Proceed to Checkout" first, and THEN select PayPal or Google Wallet.

You CAN earn and use Super Points with Google Wallet.

You cannot use Super Points with PayPal.

Do NOT use Visa Checkout/V.me or Masterpass:

Visa Checkout: "While the Visa Checkout Account Service helps facilitate the transaction, the purchase or return of goods or services from a merchant in connection with your use of the Visa Checkout Account Service is solely between you and the merchant, and Visa is not a party to the transaction", see https://secure.checkout.visa.com/pages/terms

Masterpass passes over your payment information and does not process your payment. For evidence, visit https://masterpass.com/Wallet/Help, under Checkout, "What if the merchant doesn't accept the card I want to use at checkout?"

Can one use Super Points with V.me? Yes, but don't use V.me anymore (see above).

There have been multiple posts by rrmoore stating: "Many are reporting they did with PayPal and V.me; But you can't use existing points toward the deal." I read that to mean points cannot be used with V.me, which is incorrect. I am sure rrmoore made those posts to help people. I am also sure rrmoore has a strong sense of right and wrong because he so wants to get to the bottom of the problem. Accordingly, I hope he will go back to clarify his posts because Rakuten Super Points CAN be used with V.me.

Section (1): Ways to help Rakuten take ownership of the security breach:

Letter to the Editor at Fraud Magazine:http://www.fraud-magazine.com/let...ditor.aspx
ACFE is the world's largest anti-fraud organization and premier provider of anti-fraud training and education. Together with more than 65,000 members, the ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity within the profession.

Send a message to the Amex Public Relations Dept: Desiree Fish, Vice President, Public Affairs and Communications / desiree.c.fish@aexp.com
Send a message to the Discover Public Relations Dept: Jon Drummond, Public Relations, jondrummond@discover.com

Also, please consider adding an additional posting to http://rakutenfraud.com/ (after you've posted here, of course). With the dedicated site, you can use a different posting username if you wish and no registration is required.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Section (2): Ways to help police catch the identity thieves:

Get the address where your product from the fraudulent charge was shipped from your CC company and post the city to see if we have any matches: -- 'namlook'
1. North Brunswick New Jersey(I have a name and the full address but I won't post that here)

Call the defrauded merchant (might need police involvement with some) to obtain the IP Address of the Fraudulent Order -- 'Ids322' & 'Diamonique'

Those affected should contact Rakuten's head of customer experience at 877-880-1030 ext. 2095. -- 'epicd2012'
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Fraud Alerts on Credit Reports: For those who are a bit concerned/paranoid about ID theft, here is the FTC website on it. http://www.consumer.ftc.gov/featu...tity-theft
The first step they show is placing a temporary (90 days), free, fraud alert with 1 of 3 credit card companies: http://www.consumer.ftc.gov/artic...raud-alert
It that tells the creditor requesting your report to do additional due diligence. I think it's a free service but it automatically expires after 90 days. The creditor however is not required to do any additional verification, but they don't want to get lose money either.

What good do these calls do? Any resolution/progress/more information?

They'll explain to you how 128 bits encryption works and how is not possible your CC was compromised because of them. All this denial makes me believe they are either incompetent or the higher management is in it.

Too much denial when you have hundreds and hundreds of customers complaining of the same thing: Fraudulent CC charges AFTER rakuten.com purchases

Looks like I was also a victim. I made a purchase in early April and about 3 weeks later my card was used to buy train tickets. I was actually notified by an investigator from Amtrak, but I didn't know how my card compromised. I didn't make the connection with Buy/Rakuten until I saw this thread.

Just wanted to update everyone on what's going on. I got another call today from the Amtrak investigator and he told me that the person who used my card (and others as well) was arrested yesterday. He is apparently from Ghana and is now in custody in Newark, NJ. I told the investigator about the possible connection to Rakuten/Buy.com and he said he would look into it. They have the guy's cell phone and computer, so hopefully they'll be able to make some connection. The investigator also said that I might get contacted by the Newark prosecutor to confirm that the card had been used fraudulently. I'll post another update if I hear anything.

^^I had the same issue when I dealt with a nonstateside, incompetent citibank rep. A virtual # got compromised... She insisted on replacing the primary card.

I wasn't sure whether your situation was a result of a Rakuten purchase being made within a few weeks of the unauthorized charge. If it was, could you please confirm so you can be added to the list.

Regarding Citi canceling the original card, is it theoretically possible for someone else to use the same Virtual Card Number at the same merchant -- except with a different shipping address? For example: Could Boris steal your VCN, setup a new Rakuten.com account and use your VCN (along with your billing details) but with Boris' ship-to address (perhaps a UPS or FedEx outlet)? If Boris could do that, then I suppose the credit card companies would still have a vulnerability. I know they have to leave the door open for multiple VCN authorizations as a result of partial shipments (ex. Amazon).

Just wanted to update everyone on what's going on. I got another call today from the Amtrak investigator and he told me that the person who used my card (and others as well) was arrested yesterday. He is apparently from Ghana and is now in custody in Newark, NJ. I told the investigator about the possible connection to Rakuten/Buy.com and he said he would look into it. They have the guy's cell phone and computer, so hopefully they'll be able to make some connection. The investigator also said that I might get contacted by the Newark prosecutor to confirm that the card had been used fraudulently. I'll post another update if I hear anything.

Wow, that's incredible news! Thank you so much for sharing the details. By your pointing out this thread to the investigators, his charges may go from one to many more. In a plea bargain, he could point to the guy (or the site) he got the number from and the whole operation could be exposed -- and everybody in this thread will in some little way contributed to the case (and I'll look forward to a future episode of it on Law & Order). I wonder if Rakuten when then finally admit to the breach?

@highland1024, please come back and tell us about your experience "calling Rakuten."

I've been trying starting May 3, and have so far been unable to get any useful response. Three emails, two phone calls, voice mail with "verification department" not returned, e-mail to "verification department" not returned. I've spent quite a bit of time trying to let them know about my two virtual numbers that were misused, but I just get useless responses about 128-bit encryption, or, no response at all.

I appreciate the effort that is being made here.

Your situation, as with several others who used a unique Virtual Card Number with the Rakuten purchase, have shown explicitly irrefutable evidence that the breach was from Rakuten's web-site. It would appear, and Rakuten has confirmed that by not responding to you, that they have absolutely no excuse. They cannot put the blame back on you. They cannot also say that "it must have been another merchant".

Buying from the internet needs to become safer faster, we can do it by outing companies that screw up. Identity theft is not a joke. Share this information and pass it along if you have been affected! Or pass along the word. We won't deal with this company until they fix their issues!

I wasn't sure whether your situation was a result of a Rakuten purchase being made within a few weeks of the unauthorized charge. If it was, could you please confirm so you can be added to the list.

Regarding Citi canceling the original card, is it theoretically possible for someone else to use the same Virtual Card Number at the same merchant -- except with a different shipping address? For example: Could Boris steal your VCN, setup a new Rakuten.com account and use your VCN (along with your billing details) but with Boris' ship-to address (perhaps a UPS or FedEx outlet)? If Boris could do that, then I suppose the credit card companies would still have a vulnerability. I know they have to leave the door open for multiple VCN authorizations as a result of partial shipments (ex. Amazon).

My incident occurred about a year ago. Had nothing to do with buy.com/raketen. To this day, I still don't know which # was compromised as the reps never gave me that info, nor were they willing to reveal it when asked/demanded. I gave up eventually. These days anytime I contact customer service, if the rep has an accent, I request to speak to someone stateside.

As for citi's virtual account #'s, once a number has been authorized, it's tied to that merchant ID, so Ajay can't use it at bestbuy.com or someplace else. However, an employee at the originating merchant can potentially make use of it. I'm not sure how merchants/credit card processors handle situations where shipping addr is different from billing. I suppose it can be requested that this alternate shipping address be on the customer's profile somewhere otherwise it gets declined.

In part, the beauty of citi's and boa's (some other banks too) virtual number system is that you can generate numbers with specific expiration dates and dollar amounts. I'll usually generate a # for $5-10 over what my grand total should be. Not much can be bought for this even if the number does get stolen.

Edit: Knock on wood so far no fraudulent alerts on the number used. My order was just placed with them about 3 weeks ago, so probably need to give it time

Just wanted to update everyone on what's going on. I got another call today from the Amtrak investigator and he told me that the person who used my card (and others as well) was arrested yesterday. He is apparently from Ghana and is now in custody in Newark, NJ. I told the investigator about the possible connection to Rakuten/Buy.com and he said he would look into it. They have the guy's cell phone and computer, so hopefully they'll be able to make some connection. The investigator also said that I might get contacted by the Newark prosecutor to confirm that the card had been used fraudulently. I'll post another update if I hear anything.

keep us updated. he probably bought a plane ticket with a stolen card.

keep us updated. he probably bought a plane ticket with a stolen card.

Add me to the list. My PayPal MC was compromised a few months back...luckily I get emails every time it's used and noticed right away. Charges were made to BestBuy (laptop shipping to Georgia) and to Walmart- theses store seem to be a common theme. Although I can not be 100% sure it was Buy/Rakuten, my card details were stored there...although not anymore

I received an email warning of changes and work in IT, so I immediately began working to reverse the damage. By the time account was locked down 45 min into it, the individual had ordered a $2500 lenovo to a south beach hotel in miami. I had that itchy feeling over getting practically half off the cheapest internet price for that flashlight that arrives in the mail today. It seemed too good to be true to snag a flashlight that is $100 everywhere else for $60. It was.

The silver lining is that I had been suspicious of the Sams Club Discover security on their site recently. This proves how lax their card security is. So, decision made. There are lots of credit cards in the world...

I bought an SD card from them and someone hacked on my Discover account 7 days later. Someone changed my information just like someone did with your account. However, I acted right the way when I received the email that the email on my account was changed. No charged were made on my account by the time the card was cancelled. I still think it was an coincidence since I don't know how someone could hack into my discover account since the passwords that I used on discover.com and rakuten.com are different. That person has to know my 4 digit SSN in order to login and changed my password. I think my cell phone was hacked.

There was fraudulent use of my card # on May 1st for a JET AIRWAYS flight. The transaction details said something about Mumbai, India. I was wondering how that happened but seeing this thread makes me think it may have a connection with this since I did just recently make a purchase on rakuten.com last month when they had the $20 off $50.

Add me to the list. My PayPal MC was compromised a few months back...luckily I get emails every time it's used and noticed right away. Charges were made to BestBuy (laptop shipping to Georgia) and to Walmart- theses store seem to be a common theme. Although I can not be 100% sure it was Buy/Rakuten, my card details were stored there...although not anymore

I think their version of slick steals forum might have threads listing all the US stores and merchants that provide international shipping, and are easy targets. and people sharing experiences like the success rate of the stores. "FREE stuff from bestbuy and WalMart. Avoid fraud detection. Ships to Georgia. Overnight shipping available. Still works! YMMV"

people should report this to media stations. For example, ABC's I-team and/or 20/20 might be interested in carrying out their own investigation and do a tv special about it. Then rakuten would be forced to respond.